» google_compute_packet_mirroring

Packet Mirroring mirrors traffic to and from particular VM instances. You can use the collected traffic to help you detect security threats and monitor application performance.

To get more information about PacketMirroring, see:

» Example Usage - Compute Packet Mirroring Full

resource "google_compute_instance" "mirror" {
  name = "my-instance"
  provider = google-beta
  machine_type = "n1-standard-1"

  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-9"
    }
  }

  network_interface {
    network = google_compute_network.default.id
    access_config {
    }
  }
}

resource "google_compute_packet_mirroring" "foobar" {
  name = "my-mirroring"
  provider = google-beta
  description = "bar"
  network {
    url = google_compute_network.default.id
  }
  collector_ilb {
    url = google_compute_forwarding_rule.default.id
  }
  mirrored_resources {
    tags = ["foo"]
    instances {
      url = google_compute_instance.mirror.id
    }
  }
  filter {
    ip_protocols = ["tcp"]
    cidr_ranges = ["0.0.0.0/0"]
  }
}
resource "google_compute_network" "default" {
  name = "my-network"
  provider = google-beta
}

resource "google_compute_subnetwork" "default" {
  name = "my-subnetwork"
  provider = google-beta
  network       = google_compute_network.default.id
  ip_cidr_range = "10.2.0.0/16"

}

resource "google_compute_region_backend_service" "default" {
  name = "my-service"
  provider = google-beta
  health_checks = [google_compute_health_check.default.id]
}

resource "google_compute_health_check" "default" {
  name = "my-healthcheck"
  provider = google-beta
  check_interval_sec = 1
  timeout_sec        = 1
  tcp_health_check {
    port = "80"
  }
}

resource "google_compute_forwarding_rule" "default" {
  depends_on = [google_compute_subnetwork.default]
  provider = google-beta
  name       = "my-ilb"

  is_mirroring_collector = true
  ip_protocol            = "TCP"
  load_balancing_scheme  = "INTERNAL"
  backend_service        = google_compute_region_backend_service.default.id
  all_ports              = true
  network                = google_compute_network.default.id
  subnetwork             = google_compute_subnetwork.default.id
  network_tier           = "PREMIUM"
}

» Argument Reference

The following arguments are supported:

  • name - (Required) The name of the packet mirroring rule

  • network - (Required) Specifies the mirrored VPC network. Only packets in this network will be mirrored. All mirrored VMs should have a NIC in the given network. All mirrored subnetworks should belong to the given network. Structure is documented below.

  • collector_ilb - (Required) The Forwarding Rule resource (of type load_balancing_scheme=INTERNAL) that will be used as collector for mirrored traffic. The specified forwarding rule must have is_mirroring_collector set to true. Structure is documented below.

  • mirrored_resources - (Required) A means of specifying which resources to mirror. Structure is documented below.

The network block supports:

  • url - (Required) The full self_link URL of the network where this rule is active.

The collector_ilb block supports:

  • url - (Required) The URL of the forwarding rule.

The mirrored_resources block supports:

  • subnetworks - (Optional) All instances in one of these subnetworks will be mirrored. Structure is documented below.

  • instances - (Optional) All the listed instances will be mirrored. Specify at most 50. Structure is documented below.

  • tags - (Optional) All instances with these tags will be mirrored.

The subnetworks block supports:

  • url - (Required) The URL of the subnetwork where this rule should be active.

The instances block supports:

  • url - (Required) The URL of the instances where this rule should be active.

  • description - (Optional) A human-readable description of the rule.

  • region - (Optional) The Region in which the created address should reside. If it is not provided, the provider region is used.

  • priority - (Optional) Since only one rule can be active at a time, priority is used to break ties in the case of two rules that apply to the same instances.

  • filter - (Optional) A filter for mirrored traffic. If unset, all traffic is mirrored. Structure is documented below.

  • project - (Optional) The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

The filter block supports:

  • ip_protocols - (Optional) Protocols that apply as a filter on mirrored traffic.

  • cidr_ranges - (Optional) IP CIDR ranges that apply as a filter on the source (ingress) or destination (egress) IP in the IP header. Only IPv4 is supported.

» Attributes Reference

In addition to the arguments listed above, the following computed attributes are exported:

  • id - an identifier for the resource with format projects/{{project}}/regions/{{region}}/packetMirrorings/{{name}}

» Timeouts

This resource provides the following Timeouts configuration options:

  • create - Default is 4 minutes.
  • update - Default is 4 minutes.
  • delete - Default is 4 minutes.

» Import

PacketMirroring can be imported using any of these accepted formats:

$ terraform import -provider=google-beta google_compute_packet_mirroring.default projects/{{project}}/regions/{{region}}/packetMirrorings/{{name}}
$ terraform import -provider=google-beta google_compute_packet_mirroring.default {{project}}/{{region}}/{{name}}
$ terraform import -provider=google-beta google_compute_packet_mirroring.default {{region}}/{{name}}
$ terraform import -provider=google-beta google_compute_packet_mirroring.default {{name}}

» User Project Overrides

This resource supports User Project Overrides.